Under the Commission’s draft EHDS Regulation, electronic health data could be further processed for specific purposes, such as scientific research in the health and care sectors, development activities and innovation for products or services contributing to public health or social security, or for the purposes of training, testing and evaluating algorithms.
The EDPB and the EDPS have expressed concerns about secondary use for development and innovation activities, as well as for the training, testing and evaluation of algorithms, and strongly recommend that these purposes be further delimited and limited to cases where there is a sufficient link with public health and/or social security.
What categories of data should be made available and by whom?
Under the draft EHDS regulations, “data holders” are required to make a very wide range of electronic health data available to data users for secondary use. The definition of “data holder” is broad and includes an entity in the health or care sector, or carrying out research in connection with these sectors, with the right, the obligation or the ability to make certain data available. The EHDS clearly states that private entities are included in the scope of “data holders”, so the term could apply to pharmaceutical companies.
The categories of data to be made available include data processed for the provision of health or care services, or for the purposes of public health, research, innovation, policy development, official statistics, security patients or for regulatory purposes. As currently expressed, this definition appears to cover all electronic health data an entity may hold without any sort of limitation. For example, health data is not limited to data collected for the purpose of providing health or care services and as such is likely to capture clinical trial and safety related data.
It is unclear whether unstructured data should be provided or whether the data holder would be required to convert the format of electronic health data for secondary use if it is not in an interoperable format. Stakeholders would benefit from more guidance on exactly what data should be made available and by whom.
The role of health data access authorities
Health Data Access Bodies, established by EU Member States, will play an important role in providing access to electronic health data for secondary use.
Generally, potential data users will be required to submit requests to health data access organizations to access datasets, and health data access organizations will have the authority to adjudicate on requests and authorize and issue data permits. Where a data permit is granted, the data holder will be required to provide the dataset to the health data access body, which will in turn ensure that the electronic health data is shared with the user of the data in an anonymized format via a secure processing environment, which the health access structures will be responsible for coordinating.
Where a data user’s purpose cannot be achieved by processing anonymized data, the health data access body will be permitted to provide a data user with access to electronic health data in a pseudonymised format. after reviewing the Data User’s reasons for requesting such access – which should be detailed in the Data Access Request. However, this would not override national legal requirements to obtain, for example, an ethics review from a research ethics committee or data protection authority.
In circumstances where a Data User seeks access to Electronic Health Data from a single Data Holder in a single Member State, the Data User in question may file a Data Subject Access Request or a data directly from the data holder. In this case, it will be the responsibility of the data holder to anonymize or pseudonymize the data, as the case may be, before its disclosure.
Opportunities and risks for pharmaceutical companies
The opportunities that the EHDS could unlock for the pharmaceutical sector are vast, but there is also significant uncertainty about how the proposal should be interpreted and what protections it offers. We have presented some examples of opportunities and risks below.
Provides a legal basis for processing health data under the GDPR
The legal basis for processing health data under the General Data Protection Regulation (GDPR) requires special attention given its sensitivity. The draft EHDS Regulation aims to support stakeholders by clarifying the legal bases for processing and the grounds for exceptions to the general prohibition to process special categories of personal data, such as health data, which applies under Article 9 of the GDPR.
However, the EDPS and the EDPS have expressed concern about the lack of reference to GDPR principles in the criteria of the draft EHDS Regulation for the assessment of data access requests. For example, there is no reference to an assessment of the legal basis on which data users can process electronic health data for secondary purposes.
There is also ambiguity as to how the draft EHDS Regulation will interact with national laws on the processing of special categories of personal data that EU Member States may have developed using the powers available to them in under the GDPR, which may include local requirements for obtaining research ethics. committee evaluations, for example.
Given the Commission’s express desire to “build” on the GDPR with the EHDS, it will be interesting to see if more guidance and legislation will be forthcoming on this.
Secure Processing Environments
The EHDS aims to ensure that electronic health data is accessible through secure processing environments that comply with high technical and security standards, thus offering strong technical and security safeguards. Expert groups may be created under the draft EHDS regulations to advise on the minimum requirements and technical specifications of these environments to reduce the privacy risks associated with the processing of health data.
So far, no information has been provided on the functionality of secure processing environments and how they will support the use of electronic health data for secondary use in a meaningful way – for example , how lessons could be extracted from the secure processing environment when a dataset is used to train artificial intelligence systems.
However, some Member States already have examples of “secure processing environments” in place. The development of these programs can give a first indication of the functioning of a centralized EHDS.
An example of this is the Health Data Lab, created by the German Federal Institute for Drugs and Medical Services. It is designed to provide researchers and public institutions with access to anonymized or “synthetic” health claim datasets in a secure processing environment for analysis by artificial intelligence tools.
Data and intellectual property rights
Intellectual property (IP) rights are considered the crown jewels of pharmaceutical companies, so it’s no surprise to see that the draft EHDS regulations instruct health data access organizations to take all necessary measures. necessary to preserve the confidentiality of IP rights and trade secrets that may subsist in a data set. That said, there is very little clarity on the exact measures that will be available to protect the rights of data holders when providing data, and data users when generating and extracting data from the secure processing.
With respect to information generated in the secure processing environment, the results or results of secondary purposes of use, including information relevant to the provision of health care, must be made public by a data user in an anonymized format no later than 18 months after processing. has been completed or the data user has received the response to their data request. The draft EHDS regulations provide limited details on how this information will be protected.
Copyright may protect the way an idea was expressed, but it will not apply to the idea itself. An insight could qualify for protection if it is patentable, subject to confidentiality, or meets the requirements for protection as a trade secret. Database rights are unlikely to provide sufficient protection to a data user’s results.
A clear position on the protection of intellectual property rights offered under the EHDS will be essential, as prolonged uncertainty may discourage investment in R&D activities.
To look forward
Greater clarity on how the EHDS should be interpreted and the protections that apply is needed if the initiative is to reach its full potential.
Public confidence must also be encouraged. The safeguards offered by the secure processing environments on offer could help build public trust, but transparency and user control are also important factors. Currently, individuals do not have the right to opt out of having their health data used for secondary purposes – something the EDPS and the EDPS have stressed needs to change.
While these points are not fully addressed by the Council of Ministers and the European Parliament in the EHDS proposals, guidance and implementing acts will be important to address some of the concerns businesses may have with the initial proposal published by the Commission.
Written by Anita Basi of Pinsent Masons.